add more fixes

Author: abenso

fuzzing/FuzzingCommon.cmake

@@ -48,13 +48,13 @@ endif()
 if(ENABLE_COVERAGE)
     message(STATUS "Coverage enabled")
 
-    # Create coverage directory in project fuzz folder
-    file(MAKE_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/fuzz/coverage")
+    # Create coverage directory in project folder
+    file(MAKE_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/coverage")
 
     # Add coverage instrumentation
-    string(APPEND CMAKE_C_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/coverage/%p.profraw -fcoverage-mapping")
-    string(APPEND CMAKE_CXX_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/coverage/%p.profraw -fcoverage-mapping")
-    string(APPEND CMAKE_LINKER_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/fuzz/coverage/%p.profraw -fcoverage-mapping")
+    string(APPEND CMAKE_C_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/coverage/%p.profraw -fcoverage-mapping")
+    string(APPEND CMAKE_CXX_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/coverage/%p.profraw -fcoverage-mapping")
+    string(APPEND CMAKE_LINKER_FLAGS " -fprofile-instr-generate=${CMAKE_CURRENT_SOURCE_DIR}/coverage/%p.profraw -fcoverage-mapping")
 endif()
 
 # Sanitizers configuration

fuzzing/Makefile

@@ -123,6 +123,9 @@ fuzz_report_html:
 		-object $(FUZZ_BUILD_DIR)/fuzz-bech32 \
 		-object $(FUZZ_BUILD_DIR)/fuzz-hexutils \
 		-object $(FUZZ_BUILD_DIR)/fuzz-segwit_addr \
+		-object $(FUZZ_BUILD_DIR)/fuzz-bignum \
+		-object $(FUZZ_BUILD_DIR)/fuzz-zxformat \
+		-object $(FUZZ_BUILD_DIR)/fuzz-timeutils \
 		-instr-profile=$(FUZZ_COVERAGE_DIR)/coverage.profdata \
 		-format=html \
 		-output-dir=$(FUZZ_COVERAGE_DIR)/report_html_unified \

fuzzing/fuzz_local/CMakeLists.txt

@@ -89,4 +89,49 @@ target_include_directories(zxlib_hexutils PUBLIC
 add_fuzz_target(hexutils hexutils_fuzzer.cpp zxlib_hexutils)
 
 # Create library for segwit_addr (reuse existing bech32 sources)
-add_fuzz_target(segwit_addr segwit_addr_fuzzer.cpp zxlib_bech32)
+add_fuzz_target(segwit_addr segwit_addr_fuzzer.cpp zxlib_bech32)
+
+# Find source files for bignum
+file(GLOB BIGNUM_SOURCES
+    "${ZXLIB_SRC_DIR}/bignum.c"
+)
+
+# Create library for bignum
+add_library(zxlib_bignum STATIC ${BIGNUM_SOURCES})
+target_include_directories(zxlib_bignum PUBLIC 
+    ${ZXLIB_INCLUDE_DIR}
+    ${ZXLIB_SRC_DIR}
+)
+
+# Add fuzz target for bignum
+add_fuzz_target(bignum bignum_fuzzer.cpp zxlib_bignum)
+
+# Find source files for zxformat
+file(GLOB ZXFORMAT_SOURCES
+    "${ZXLIB_SRC_DIR}/zxformat.c"
+)
+
+# Create library for zxformat
+add_library(zxlib_zxformat STATIC ${ZXFORMAT_SOURCES})
+target_include_directories(zxlib_zxformat PUBLIC 
+    ${ZXLIB_INCLUDE_DIR}
+    ${ZXLIB_SRC_DIR}
+)
+
+# Add fuzz target for zxformat
+add_fuzz_target(zxformat zxformat_fuzzer.cpp zxlib_zxformat)
+
+# Find source files for timeutils
+file(GLOB TIMEUTILS_SOURCES
+    "${ZXLIB_SRC_DIR}/timeutils.c"
+)
+
+# Create library for timeutils
+add_library(zxlib_timeutils STATIC ${TIMEUTILS_SOURCES})
+target_include_directories(zxlib_timeutils PUBLIC 
+    ${ZXLIB_INCLUDE_DIR}
+    ${ZXLIB_SRC_DIR}
+)
+
+# Add fuzz target for timeutils
+add_fuzz_target(timeutils timeutils_fuzzer.cpp zxlib_timeutils)

fuzzing/fuzz_local/bignum_fuzzer.cpp

@@ -0,0 +1,75 @@
+/*******************************************************************************
+ *   (c) 2025 Zondax AG
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ ********************************************************************************/
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "bignum.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 2) {
+        return 0;
+    }
+
+    // Test bignumLittleEndian_to_bcd and bignumLittleEndian_bcdprint
+    uint8_t bcd_buffer[128];
+    char print_buffer[256];
+    
+    // Limit input size to avoid too large allocations
+    const size_t input_size = (size > 64) ? 64 : size;
+    
+    // Test little endian BCD conversion
+    memset(bcd_buffer, 0, sizeof(bcd_buffer));
+    bignumLittleEndian_to_bcd(bcd_buffer, sizeof(bcd_buffer), data, input_size);
+    
+    // Test BCD to string printing
+    bignumLittleEndian_bcdprint(print_buffer, sizeof(print_buffer), bcd_buffer, sizeof(bcd_buffer));
+    
+    // Test big endian BCD conversion
+    memset(bcd_buffer, 0, sizeof(bcd_buffer));
+    bignumBigEndian_to_bcd(bcd_buffer, sizeof(bcd_buffer), data, input_size);
+    
+    // Test BCD to string printing for big endian
+    bignumBigEndian_bcdprint(print_buffer, sizeof(print_buffer), bcd_buffer, sizeof(bcd_buffer));
+    
+    // Test with various buffer sizes
+    if (size > 4) {
+        const uint16_t bcd_len = (data[0] % 64) + 1;
+        const uint16_t out_len = (data[1] % 128) + 1;
+        
+        if (bcd_len <= sizeof(bcd_buffer) && out_len <= sizeof(print_buffer)) {
+            memset(bcd_buffer, 0, bcd_len);
+            bignumLittleEndian_to_bcd(bcd_buffer, bcd_len, data + 2, input_size - 2);
+            bignumLittleEndian_bcdprint(print_buffer, out_len, bcd_buffer, bcd_len);
+            
+            memset(bcd_buffer, 0, bcd_len);
+            bignumBigEndian_to_bcd(bcd_buffer, bcd_len, data + 2, input_size - 2);
+            bignumBigEndian_bcdprint(print_buffer, out_len, bcd_buffer, bcd_len);
+        }
+    }
+    
+    return 0;
+}

fuzzing/fuzz_local/fuzz_config.py

@@ -36,6 +36,9 @@ def get_fuzzer_configs():
         FuzzConfig(name="base64", max_len=1024),  # base64 fuzzer for encoding
         FuzzConfig(name="hexutils", max_len=512),  # hexutils fuzzer for hex string parsing
         FuzzConfig(name="segwit_addr", max_len=256),  # segwit address fuzzer
+        FuzzConfig(name="bignum", max_len=256),  # bignum fuzzer for BCD conversion
+        FuzzConfig(name="zxformat", max_len=512),  # zxformat fuzzer for string formatting
+        FuzzConfig(name="timeutils", max_len=256),  # timeutils fuzzer for time operations
     ]
 
 

fuzzing/fuzz_local/timeutils_fuzzer.cpp

@@ -0,0 +1,73 @@
+/*******************************************************************************
+ *   (c) 2025 Zondax AG
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ ********************************************************************************/
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "timeutils.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 8) {
+        return 0;
+    }
+    
+    char buffer[256];
+    
+    // Test printTime with various timestamps
+    uint64_t timestamp;
+    memcpy(&timestamp, data, sizeof(uint64_t));
+    
+    // Test printTime function
+    printTime(buffer, sizeof(buffer), timestamp);
+    
+    // Test with smaller buffer sizes
+    printTime(buffer, 50, timestamp);
+    printTime(buffer, 20, timestamp);
+    printTime(buffer, 10, timestamp);
+    printTime(buffer, 1, timestamp);
+    
+    // Test printTimeSpecialFormat if available
+    printTimeSpecialFormat(buffer, sizeof(buffer), timestamp);
+    printTimeSpecialFormat(buffer, 50, timestamp);
+    
+    // Test month functions
+    if (size > 0) {
+        const uint8_t month = data[0] % 13;  // 0-12
+        const char* monthStr = getMonth(month);
+        (void)monthStr;  // Use to avoid warning
+    }
+    
+    // Test decodeTime function
+    if (size >= 8) {
+        timedata_t timedata;
+        decodeTime(&timedata, timestamp);
+        
+        // Also test extractTime
+        extractTime(timestamp, &timedata);
+    }
+    
+    return 0;
+}

fuzzing/fuzz_local/zxformat_fuzzer.cpp

@@ -0,0 +1,121 @@
+/*******************************************************************************
+ *   (c) 2025 Zondax AG
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ ********************************************************************************/
+
+#include <cassert>
+#include <cstddef>
+#include <cstdint>
+#include <cstring>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "zxformat.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    if (size < 4) {
+        return 0;
+    }
+    
+    char buffer[256];
+    
+    // Test int32_to_str with various inputs
+    if (size >= 4) {
+        int32_t value;
+        memcpy(&value, data, sizeof(int32_t));
+        int32_to_str(buffer, sizeof(buffer), value);
+        
+        // Test with smaller buffer sizes
+        int32_to_str(buffer, 10, value);
+        int32_to_str(buffer, 5, value);
+        int32_to_str(buffer, 2, value);
+        int32_to_str(buffer, 1, value);
+    }
+    
+    // Test uint32_to_str with various inputs
+    if (size >= 4) {
+        uint32_t value;
+        memcpy(&value, data, sizeof(uint32_t));
+        uint32_to_str(buffer, sizeof(buffer), value);
+        
+        // Test with smaller buffer sizes
+        uint32_to_str(buffer, 10, value);
+        uint32_to_str(buffer, 5, value);
+        uint32_to_str(buffer, 2, value);
+        uint32_to_str(buffer, 1, value);
+    }
+    
+    // Test fpstr_to_str (fixed point string conversion)
+    if (size >= 16) {
+        char inBuffer[128];
+        const size_t copy_len = (size > 127) ? 127 : size;
+        memcpy(inBuffer, data, copy_len);
+        inBuffer[copy_len] = '\0';
+        
+        // Test with various decimal places
+        const uint8_t decimals = data[0] % 20;
+        fpstr_to_str(buffer, sizeof(buffer), inBuffer, decimals);
+    }
+    
+    // Test pageString function (with correct parameters)
+    if (size >= 32) {
+        char outValue[128];
+        const uint16_t outValueLen = sizeof(outValue);
+        
+        char inValue[64];
+        const size_t copy_len = (size > 63) ? 63 : size;
+        memcpy(inValue, data, copy_len);
+        inValue[copy_len] = '\0';
+        
+        const uint8_t pageIdx = data[0] % 10;
+        uint8_t *pageCount = (uint8_t*)(buffer + 100);
+        
+        pageString(outValue, outValueLen, inValue, pageIdx, pageCount);
+    }
+    
+    // Test fpuint64_to_str 
+    if (size >= 8) {
+        uint64_t value;
+        memcpy(&value, data, sizeof(uint64_t));
+        const uint8_t decimals = data[0] % 10;
+        fpuint64_to_str(buffer, sizeof(buffer), value, decimals);
+    }
+    
+    // Test str_to_int64 with correct parameters
+    if (size > 2) {
+        char str[64];
+        const size_t str_len = (size > 63) ? 63 : size;
+        memcpy(str, data, str_len);
+        str[str_len] = '\0';
+        
+        // Find a reasonable end pointer
+        const char *end = str + str_len;
+        char error = 0;
+        str_to_int64(str, end, &error);
+    }
+    
+    // Test array to hex functions
+    if (size >= 8) {
+        array_to_hexstr(buffer, sizeof(buffer), data, (size > 64) ? 64 : size);
+        array_to_hexstr_uppercase(buffer, sizeof(buffer), data, (size > 64) ? 64 : size);
+    }
+    
+    return 0;
+}

include/zxformat.h

@@ -158,12 +158,20 @@ __Z_INLINE int64_t str_to_int64(const char *start, const char *end, char *error)
     }
 
     int64_t value = 0;
-    int64_t multiplier = 1;
-    for (const char *s = end - 1; s >= start; s--) {
+    const int64_t max_value = INT64_MAX;
+    
+    for (const char *s = start; s < end; s++) {
         int64_t delta = (*s - '0');
         if (delta >= 0 && delta <= 9) {
-            value += delta * multiplier;
-            multiplier *= 10;
+            // Check for overflow before multiplication and addition
+            if (value > (max_value - delta) / 10) {
+                if (error != NULL) {
+                    *error = 1;
+                }
+                return 0;
+            }
+            
+            value = value * 10 + delta;
         } else {
             if (error != NULL) {
                 *error = 1;